
Re: reconsidering default exit policy

At 09:34 -0700 on 2005-08-29, Chris Palmer wrote:
> Richard Johnson writes:
>> But the controllers of those bots often will try to use tor.
> Do you have any evidence for this? I have assumed it was possible and
> that some people might do it, but have you actually seen it happen?

I have a few hearsay reports, and one piece of local evidence backing them up.

The reports are from sites who have notified $DAYJOB about IRC bots
connecting to carder, warez, etc. channels, often including details on
which channel participant IPs are controllers.  In a couple cases, the
alleged controllers were tor exit nodes.

I was able to confirm during investigation (forcing temporary layer 2
outages in order to cause the bots to do DNS lookups prior to reconnection,
etc.), that the reports were accurate about which participants were
controllers.  In one case out of about 10 total, I noticed that one of the
now confirmed controllers was a tor exit node.

I don't consider that apparent use of tor by kiddies to be a problem
(though some at $DAYJOB might disagree).  My focus is on preventing the
compromises in the first place, detecting them rapidly when they happen
anyway, and getting the systems back in service quickly after a rebuild and

Still, I remember thinking at the time that the kiddies behind that warez
group were unusually paranoid about being tracked.  After all, short time
bouncing through a trojaned Chinese and Romanian broadband user or two is
more than sufficient to break tracing by their adversary law enforcement
agencies, and is likely to be faster.

Normally, I make the time to report to network operators the IPs we see
participating in such activity, solely as a 'sorry to be the bearer of bad
news, but you might have a problem' deal.  I didn't bother to report that
one, as I assumed the traffic was coming through tor and thus wasn't
anomalous.  As I think back on it, however, I realize that's not
necessarily true.  It might have indicated a compromise of the host system

If I ever encounter this again (and I probably will, eventually, given the
number of sysadmins we have at $DAYJOB :-), I'll make a point of saying 'I
know you're running a tor node, but just in case this isn't tor exit
traffic, you might have a problem.'
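One way to script the correlation the post describes (a bot's DNS answer followed by its IRC reconnection to the same address), as an added example that is not from the original post or its author; the log formats, hostnames, addresses and Tor exit list are all constructed for illustration:

```python
# Added example: confirm which IRC peers are bot controllers by matching a
# host's DNS answers to the IRC-port connection that follows, then annotate
# hits that are known Tor exits so the report still goes out with the
# "in case this isn't Tor exit traffic" caveat rather than being dropped.
from datetime import datetime

# Constructed sample logs: "timestamp bot_ip name answer_ip" and
# "timestamp bot_ip dst_ip dst_port". Nothing here is real data.
DNS_LOG = """\
2005-08-29T10:00:01 10.1.2.3 irc.example-bad.net 198.51.100.7
2005-08-29T10:00:02 10.1.2.3 time.example.org 203.0.113.9
2005-08-29T10:05:40 10.1.2.4 irc.example-bad.net 198.51.100.7
"""
CONN_LOG = """\
2005-08-29T10:00:03 10.1.2.3 198.51.100.7 6667
2005-08-29T10:00:04 10.1.2.3 203.0.113.9 123
2005-08-29T10:05:41 10.1.2.4 198.51.100.7 6667
"""
TOR_EXITS = {"198.51.100.7"}   # constructed; use a current exit list in practice
IRC_PORTS = {6667, 6668, 6669, 7000}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def find_controllers(dns_log, conn_log, window_s=60):
    """Return {controller_ip: set(bot_ips)} for IRC-port connections that
    follow a DNS answer for the same IP, from the same bot, within window_s."""
    answers = []
    for line in dns_log.splitlines():
        ts, bot, _name, ip = line.split()
        answers.append((_ts(ts), bot, ip))
    hits = {}
    for line in conn_log.splitlines():
        ts, bot, dst, port = line.split()
        if int(port) not in IRC_PORTS:      # ignore NTP, HTTP, etc.
            continue
        t = _ts(ts)
        for ats, abot, aip in answers:
            if abot == bot and aip == dst and 0 <= (t - ats).total_seconds() <= window_s:
                hits.setdefault(dst, set()).add(bot)
    return hits

def report_lines(hits, tor_exits):
    """One report line per controller; Tor exits are reported too, with the caveat."""
    out = []
    for ip, bots in sorted(hits.items()):
        note = " (known Tor exit: may be exit traffic, or the host itself)" if ip in tor_exits else ""
        out.append(f"{ip}: controller for {len(bots)} bot(s){note}")
    return out
```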